Using an EIP and a Third-Party Firewall to Scrub Traffic from and to the Internet
Scenarios
VPC allows you to configure and manage virtual networks. You can use security groups and network ACLs to control network access. You can also use third-party firewalls to ensure the security of cloud services.
This section describes how to use a third-party firewall to filter and scrub the traffic between a VPC and the Internet. This helps you build a secure and compliant network border and ensure secure communications between the VPC and the Internet.
Solution Architecture
- Traffic to the Internet: Service traffic from Subnet-WEB is directed to ECS-FW (firewall) for scrubbing through custom routes. After the SNAT rule translates the source IP address, the traffic is forwarded to the Internet through the EIP bound to ECS-FW.
- Traffic from the Internet: External Internet requests reach ECS-FW (firewall) through its bound EIP. After ECS-FW scrubs the traffic, the traffic is forwarded to ECS-WEB in Subnet-WEB through the DNAT rule (destination network address translation).
Resource Planning
In this example, you need to create a VPC, two ECSs, and an EIP. For details about the required resources, see Table 1.
The following resource planning details are only examples for your reference. You need to plan resources based on actual service requirements.
Table 1 Resource planning

| Resource | Description |
|---|---|
| VPC | There is one VPC. For details, see Table 2. VPC-X has a default route table and a custom route table. Subnet-FW for the firewall is associated with the default route table, and Subnet-WEB for the service cluster is associated with the custom route table. The default route table controls the inbound traffic to Subnet-FW, and the custom route table controls the outbound traffic from Subnet-WEB. |
| ECS | There are two ECSs. For details, see Table 3. If your ECSs are in different security groups, add rules to the security groups to allow access to each other. |
| EIP | There is one EIP, which is bound to ECS-FW where the firewall is deployed. |
Table 2 VPC and subnet planning

| VPC Name | VPC CIDR Block | Subnet Name | Subnet CIDR Block | Associated Route Table | Subnet Used to Deploy |
|---|---|---|---|---|---|
| VPC-X | 192.168.0.0/16 | Subnet-FW | 192.168.1.0/24 | Default route table rtb-VPC-X | Firewall |
| VPC-X | 192.168.0.0/16 | Subnet-WEB | 192.168.2.0/24 | Custom route table rtb-VPC-X-WEB | Services |
Table 3 ECS planning

| ECS Name | VPC Name | Subnet Name | Private IP Address | EIP | Image | Security Group | ECS Used to Deploy |
|---|---|---|---|---|---|---|---|
| ECS-FW | VPC-X | Subnet-FW | 192.168.1.100 | 116.XX.XX.57 | Public image: Huawei Cloud EulerOS 2.0 Standard 64 bit | Sg-X: General-purpose web server | Firewall |
| ECS-WEB | VPC-X | Subnet-WEB | 192.168.2.229 | None | Public image: Huawei Cloud EulerOS 2.0 Standard 64 bit | Sg-X: General-purpose web server | Services |
Procedure
- Create a VPC with subnets.
  For details, see Creating a VPC with a Subnet.
  For details about the VPC and its subnets in this example, see Table 2.
- Create ECSs.
  For details, see Purchasing an ECS in Custom Config Mode.
  For details about the ECSs in this example, see Table 3.
- Configure the network interface of ECS-FW and install a third-party firewall on ECS-FW.
  - Disable source/destination check for the network interface of ECS-FW. This is required because ECS-FW forwards packets whose source or destination address is not its own.
    - In the ECS list, click the name of the target ECS.
    - On the Network Interfaces tab, click the expand icon to expand the details area and check whether Source/Destination Check is disabled.
      If the information shown in Figure 2 is displayed, Source/Destination Check is disabled.
  - Install a third-party firewall on ECS-FW based on service requirements.
- Assign an EIP and bind it to ECS-FW.
  - Assign an EIP. For details, see Assigning an EIP.
  - Bind the EIP to ECS-FW. For details, see Binding or Unbinding an EIP.
- Create a custom route table for VPC-X and associate Subnet-WEB with the custom route table.
  - Create a custom route table for VPC-X.
    For details, see Creating a Custom Route Table.
  - Associate Subnet-WEB with the custom route table.
    After a subnet is created, it is automatically associated with the default route table of its VPC. Therefore, Subnet-WEB is initially associated with the default route table of VPC-X. You must reassociate Subnet-WEB with the custom route table.
    For details, see Changing the Route Table Associated with a Subnet.
- (Optional) Configure a virtual IP address for ECSs.
  You can create two ECSs in VPC-X and bind a virtual IP address to them so that they can work as an active/standby pair. If the active ECS is faulty and cannot provide services, the virtual IP address will be dynamically bound to the standby ECS to continue providing services. Skip this step if the ECS where the firewall is deployed does not need to work in an active/standby pair.
  - Assign a virtual IP address from Subnet-FW where the firewall is located.
    For details, see Assigning a Virtual IP Address.
  - Bind the virtual IP address to the active and standby ECSs where the firewall is deployed.
    For details, see Binding a Virtual IP Address to an Instance or EIP.
  - Bind an EIP to the virtual IP address.
    For details, see Binding a Virtual IP Address to an Instance or EIP.
- Add routes to the custom route table.
  For details, see Adding a Custom Route.
  Table 4 describes the route planning.

Table 4 VPC route planning

| VPC Route Table | Destination | Next Hop Type | Next Hop | Route Type | Route Function |
|---|---|---|---|---|---|
| Custom route table rtb-VPC-X-WEB | 0.0.0.0/0 | Server | ECS-FW | Custom | In this example, a firewall is deployed on an ECS. The route points to ECS-FW, where the firewall is deployed, as its next hop and directs outbound traffic from Subnet-WEB to the firewall. If the firewall is deployed on multiple ECSs and uses a virtual IP address to communicate with external networks, select the virtual IP address as the next hop of the route. |
- Log in to ECS-FW and configure SNAT and DNAT rules.
  In this example, no third-party firewall is deployed. You can use iptables rules to simulate the SNAT and DNAT functions of a firewall. The SNAT rule allows ECS-WEB to access the Internet using the EIP bound to ECS-FW. The DNAT rule allows Internet traffic to be forwarded to ECS-WEB through ECS-FW.
  For details, see How Do I Log In to My ECS?
  - Enable IP forwarding on ECS-FW.
    - Run the following command to switch to user root:
      ```
      su root
      ```
    - Run the following command to check whether IP forwarding is enabled:
      ```
      cat /proc/sys/net/ipv4/ip_forward
      ```
      In the command output, 1 indicates that IP forwarding is enabled, and 0 indicates that it is disabled.
      - If 1 is displayed, no further action is required.
      - If 0 is displayed, go to the next step.
    - Enable IP forwarding in /etc/sysctl.conf:
      - Run the following command to open the /etc/sysctl.conf file:
        ```
        vim /etc/sysctl.conf
        ```
      - Press i to enter the editing mode.
      - Modify or add the following content (the comment lines are optional):
        ```
        # Enable IPv4 forwarding.
        net.ipv4.ip_forward = 1
        # Enable IPv6 forwarding if IPv6 needs to be supported.
        net.ipv6.conf.all.forwarding = 1
        ```
      - Press Esc to exit and enter :wq! to save the configuration.
      - Run the following command to make the modification take effect:
        ```
        sysctl -p
        ```
        The preceding configuration takes effect permanently and does not become invalid after the ECS is restarted.
  - Run the following command to switch to user root:
    ```
    su root
    ```
  - Run the following command to clear the NAT rules:
    ```
    iptables -t nat -F
    ```
  - Run the following command to configure the DNAT rule:
    ```
    iptables -t nat -A PREROUTING -d 192.168.1.100 -p icmp --icmp-type echo-request -j DNAT --to-destination 192.168.2.229
    ```
    In this command, 192.168.1.100 is the private IP address of ECS-FW in Subnet-FW, and 192.168.2.229 is the private IP address of ECS-WEB in Subnet-WEB. This command is for reference only. Configure the IP addresses based on actual requirements.
  - Run the following command to configure the SNAT rule:
    ```
    iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to-source 192.168.1.100
    ```
    In this command, 192.168.2.0/24 is the IPv4 CIDR block of Subnet-WEB, and 192.168.1.100 is the private IP address of ECS-FW in Subnet-FW. This command is for reference only. Configure the IP addresses based on actual requirements.
  - Run the following command to save the NAT rule configuration:
    ```
    systemctl restart iptables
    ```
    The NAT rules are temporary and apply only to this verification. They become invalid after the ECS is restarted.
  - Run the following command to view the NAT rule configuration details:
    ```
    iptables -t nat -L -n -v
    ```
    If information similar to the following is displayed, the NAT rules are configured successfully:
    ```
    [root@ecs-fw ~]# iptables -t nat -L -n -v
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DNAT       icmp --  *      *       0.0.0.0/0            192.168.1.100        icmptype 8 to:192.168.2.229

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 SNAT       all  --  *      *       192.168.2.0/24       0.0.0.0/0            to:192.168.1.100
    ```
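The script below is an added example and is not part of the Huawei Cloud page or of any product. It packages the manual steps above into one POSIX shell file: it checks the ip_forward sysctl, generates the flush/DNAT/SNAT commands from the page, and verifies the output of `iptables -t nat -L -n -v` for both rules instead of relying on eyeballing it. By default it only prints the commands (dry run) and runs a self-check against a constructed sample of the listing above; `--apply` installs the rules and must be run as root on ECS-FW. The default addresses are the ones from Table 3; the function names, the `SAMPLE_OUTPUT` constant and the `--apply` switch are this example's own. Note the caveat carried over from the page's rule: the DNAT rule matches ICMP echo-request only, so from the Internet only ping reaches ECS-WEB until the match is changed to the real service.

```shell
#!/bin/sh
# nat-sim.sh: added example, not taken from the Huawei Cloud page.
# Generates (and, with --apply, installs) the iptables rules that stand in
# for the firewall on ECS-FW, then checks that the kernel lists them.
#
# Assumed values, matching Table 3 of the page; override via environment:
#   FW_IP   private IP address of ECS-FW   (192.168.1.100)
#   WEB_IP  private IP address of ECS-WEB  (192.168.2.229)
#   WEB_NET IPv4 CIDR block of Subnet-WEB  (192.168.2.0/24)
FW_IP="${FW_IP:-192.168.1.100}"
WEB_IP="${WEB_IP:-192.168.2.229}"
WEB_NET="${WEB_NET:-192.168.2.0/24}"

# ip_forward_enabled FILE
# Succeeds only if FILE holds "1" (as /proc/sys/net/ipv4/ip_forward does when
# forwarding is on). The path is a parameter so the check can also be
# exercised against an ordinary file.
ip_forward_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# nat_rules FW_IP WEB_IP WEB_NET
# Prints the page's commands, one per line: flush the nat table, add the
# DNAT rule, add the SNAT rule. The DNAT rule matches ICMP echo-request
# only, exactly as on the page; a real service needs its own match, for
# example "-p tcp --dport 80" instead of "-p icmp --icmp-type echo-request".
nat_rules() {
    fw="$1"; web="$2"; net="$3"
    cat <<EOF
iptables -t nat -F
iptables -t nat -A PREROUTING -d $fw -p icmp --icmp-type echo-request -j DNAT --to-destination $web
iptables -t nat -A POSTROUTING -s $net -j SNAT --to-source $fw
EOF
}

# verify_nat_output TEXT FW_IP WEB_IP WEB_NET
# Succeeds only if TEXT (output of "iptables -t nat -L -n -v") contains both
# the DNAT rule towards WEB_IP and the SNAT rule from WEB_NET to FW_IP.
verify_nat_output() {
    out="$1"; fw="$2"; web="$3"; net="$4"
    printf '%s\n' "$out" | grep -q "DNAT .*$fw .*to:$web" &&
        printf '%s\n' "$out" | grep -q "SNAT .*$net .*to:$fw"
}

# Constructed excerpt in the format of "iptables -t nat -L -n -v"; used only
# for the self-check in dry-run mode.
SAMPLE_OUTPUT='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            192.168.1.100        icmptype 8 to:192.168.2.229

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.2.0/24       0.0.0.0/0            to:192.168.1.100'

if [ "${1:-}" = "--apply" ]; then
    # Must run as root on ECS-FW; forwarding is switched on if it is off.
    [ "$(id -u)" -eq 0 ] || { echo "--apply needs root" >&2; exit 1; }
    ip_forward_enabled /proc/sys/net/ipv4/ip_forward || sysctl -w net.ipv4.ip_forward=1
    nat_rules "$FW_IP" "$WEB_IP" "$WEB_NET" | sh -e
    if verify_nat_output "$(iptables -t nat -L -n -v)" "$FW_IP" "$WEB_IP" "$WEB_NET"; then
        echo "NAT rules active"
    else
        echo "NAT rules not found in iptables output" >&2; exit 1
    fi
else
    echo "# dry run: commands that --apply would execute"
    nat_rules "$FW_IP" "$WEB_IP" "$WEB_NET"
    verify_nat_output "$SAMPLE_OUTPUT" 192.168.1.100 192.168.2.229 192.168.2.0/24 \
        && echo "# self-check on constructed sample output: ok"
fi
```

Run `sh nat-sim.sh` first to review the exact commands for your addresses, then `sh nat-sim.sh --apply` as root on ECS-FW. As on the page, the rules installed this way live in the running kernel only and are gone after a reboot.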
- Log in to ECS-WEB and check whether it can communicate with the Internet.
  ```
  ping <Internet address>
  ```
  Example command:
  ```
  ping support.huaweicloud.com
  ```
  If information similar to the following is displayed, ECS-WEB can communicate with the Internet using the EIP bound to ECS-FW.
  ```
  PING support.huaweicloud.com.eo.dnse1.com (119.36.225.121) 56(84) bytes of data.
  64 bytes from 119.36.225.121 (119.36.225.121): icmp_seq=1 ttl=47 time=16.5 ms
  64 bytes from 119.36.225.121 (119.36.225.121): icmp_seq=2 ttl=47 time=16.5 ms
  64 bytes from 119.36.225.121 (119.36.225.121): icmp_seq=3 ttl=47 time=16.4 ms
  ...
  --- support.huaweicloud.com.eo.dnse1.com ping statistics ---
  3 packets transmitted, 3 received, 0% packet loss, time 2002ms
  rtt min/avg/max/mdev = 16.420/16.458/16.497/0.031 ms
  ```